VulnerableCode Package Details - pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.42

Search for packages

Vulnerability	Summary	Fixed by
VCID-fpgj-82wf-ykbw Aliases: CVE-2025-53506 GHSA-25xr-qj8w-c4vf	Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.	10.1.43 Affected by 0 other vulnerabilities. 11.0.9 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-fpgj-82wf-ykbw
Aliases:
CVE-2025-53506
GHSA-25xr-qj8w-c4vf

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

10.1.43
Affected by 0 other vulnerabilities.

11.0.9
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-246u-a4rh-yyd4	Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.	CVE-2025-49125 GHSA-wc4r-xq3c-5cf3
VCID-bks8-nvm9-vbgy	Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.	CVE-2025-49124 GHSA-42wg-hm62-jcwg
VCID-gb2v-96xj-ybad	Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.	CVE-2025-48988 GHSA-h3gc-qfqq-6h8f

Vulnerability

Summary

Aliases

VCID-246u-a4rh-yyd4

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

CVE-2025-49125
GHSA-wc4r-xq3c-5cf3

VCID-bks8-nvm9-vbgy

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

CVE-2025-49124
GHSA-42wg-hm62-jcwg

VCID-gb2v-96xj-ybad

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

CVE-2025-48988
GHSA-h3gc-qfqq-6h8f

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:33:01.341718+00:00	GitLab Importer	Affected by	VCID-fpgj-82wf-ykbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-53506.yml	38.4.0
2026-04-16T23:31:10.144265+00:00	GitLab Importer	Fixing	VCID-gb2v-96xj-ybad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-48988.yml	38.4.0
2026-04-16T23:31:10.001244+00:00	GitLab Importer	Fixing	VCID-246u-a4rh-yyd4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-49125.yml	38.4.0
2026-04-16T23:31:09.070515+00:00	GitLab Importer	Fixing	VCID-bks8-nvm9-vbgy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-49124.yml	38.4.0
2026-04-12T00:52:59.831194+00:00	GitLab Importer	Affected by	VCID-fpgj-82wf-ykbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-53506.yml	38.3.0
2026-04-12T00:50:57.109316+00:00	GitLab Importer	Fixing	VCID-gb2v-96xj-ybad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-48988.yml	38.3.0
2026-04-12T00:50:56.953823+00:00	GitLab Importer	Fixing	VCID-246u-a4rh-yyd4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-49125.yml	38.3.0
2026-04-12T00:50:55.957488+00:00	GitLab Importer	Fixing	VCID-bks8-nvm9-vbgy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-49124.yml	38.3.0
2026-04-07T04:58:04.550805+00:00	GHSA Importer	Fixing	VCID-gb2v-96xj-ybad	https://github.com/advisories/GHSA-h3gc-qfqq-6h8f	38.1.0
2026-04-07T04:58:03.946022+00:00	GHSA Importer	Fixing	VCID-246u-a4rh-yyd4	https://github.com/advisories/GHSA-wc4r-xq3c-5cf3	38.1.0
2026-04-07T04:58:03.813322+00:00	GHSA Importer	Fixing	VCID-bks8-nvm9-vbgy	https://github.com/advisories/GHSA-42wg-hm62-jcwg	38.1.0
2026-04-03T01:01:09.189154+00:00	GitLab Importer	Affected by	VCID-fpgj-82wf-ykbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-53506.yml	38.1.0
2026-04-03T00:59:00.777561+00:00	GitLab Importer	Fixing	VCID-gb2v-96xj-ybad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-48988.yml	38.1.0
2026-04-03T00:59:00.637961+00:00	GitLab Importer	Fixing	VCID-246u-a4rh-yyd4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-49125.yml	38.1.0
2026-04-03T00:58:59.676595+00:00	GitLab Importer	Fixing	VCID-bks8-nvm9-vbgy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-49124.yml	38.1.0
2026-04-02T12:41:35.659000+00:00	GitLab Importer	Fixing	VCID-gb2v-96xj-ybad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-48988.yml	38.0.0
2026-04-02T12:41:35.574099+00:00	GitLab Importer	Fixing	VCID-246u-a4rh-yyd4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-49125.yml	38.0.0
2026-04-02T12:41:35.442175+00:00	GitLab Importer	Fixing	VCID-bks8-nvm9-vbgy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-49124.yml	38.0.0
2026-04-01T12:56:55.641231+00:00	GithubOSV Importer	Fixing	VCID-bks8-nvm9-vbgy	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json	38.0.0
2026-04-01T12:56:54.160418+00:00	GithubOSV Importer	Fixing	VCID-246u-a4rh-yyd4	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json	38.0.0
2026-04-01T12:56:50.873954+00:00	GithubOSV Importer	Fixing	VCID-gb2v-96xj-ybad	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json	38.0.0